Nowadays, alongside cloud platforms, mobile applications and Docker containers, a new architectural style is gaining more and more popularity: microservices. Instead of one heavy monolithic application, the preferred approach is many small, specialized services, which are easier to manage, update, deploy and test. This seems like a natural solution, and many monoliths in different companies have already been split into smaller services and moved to production that way.

But despite its obvious advantages, this style has challenges of its own. One of them is choosing appropriate integration mechanisms between the services and making sure that they actually work together, since each service solves only its own problem and provides little value alone.

One of the most popular mechanisms for integrating the parts of an application is RESTful services. They provide a simple, lightweight and reliable way to exchange data, can be implemented with well-known protocols (HTTP) and data formats (JSON, for example), and are supported by a wide range of tools.

Another issue with microservices is security risk: the services can now be deployed on different machines, and the information they send over the network might be intercepted, corrupted or compromised. There are a variety of security mechanisms for protecting sensitive data, including TLS (still commonly called SSL), Basic Authentication, Windows Authentication, token-based authentication and so on. Note that the authentication schemes only control who may call a service; protecting the data in transit is the job of TLS, so in practice they are combined.

Today, we will build a simple example of an Apache JMeter™ test project for a REST service protected with Windows Authentication and deployed to IIS, the Microsoft-recommended web server on the Windows platform (more details here). We will enable Windows Authentication and create a test project in JMeter to check that the authentication mechanism works as intended. We will be using Visual Studio 2017 version 15.3.0 and JMeter version 3.2.

Windows Authentication is a mechanism for authenticating users over an untrusted network by means of the NTLM and Kerberos protocols: the password itself is never sent, only an NTLM challenge-response or a Kerberos ticket. It can authenticate users based on their current Windows logon, without prompting them again for a username and password. Because NTLM and Kerberos are tied to Windows Active Directory, and because of limitations such as NTLM authenticating a TCP connection rather than each request (which is why it generally does not work through HTTP proxies), Windows Authentication is best suited to securing intranet applications. It does not encrypt the request or the response, so it should still be used over HTTPS; on plain HTTP an attacker on the same network can capture the NTLM exchange and relay it or crack it offline.

Preparation

Create a REST service and deploy it locally. The service used in this tutorial can be found by following this URL.

Build and publish the service to IIS (good documentation on how to do this can be found here).

Enable Windows Authentication in IIS for the service under test. I use VideoService here, but any REST service hosted in IIS will do. Select the service in the list of websites and click the Authentication icon.

Disable Anonymous Authentication. If it stays enabled alongside Windows Authentication, IIS never challenges the client, and every request succeeds without credentials.

Browse the VideoService website in any browser and navigate to /api/movie. With my current configuration, it is http://localhost:8804/api/movie. After providing a username and password, you should see the movies list, as in the screenshot below:
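The same Preparation steps, as an added example that is not part of the original tutorial: they are done from an elevated PowerShell prompt with appcmd.exe instead of IIS Manager, and followed by the check a practitioner wants before touching JMeter, namely that IIS really refuses an anonymous request and accepts the logged-on Windows account. The site name VideoService and the port 8804 are the tutorial's; the location of appcmd.exe is assumed to be the default.

```powershell
# Added example, not part of the original tutorial: the Preparation steps from an
# elevated PowerShell prompt, followed by a check that IIS challenges anonymous
# clients. Assumptions: site "VideoService" on port 8804 (as in the tutorial) and
# appcmd.exe in its default location.
$site   = 'VideoService'
$uri    = 'http://localhost:8804/api/movie'
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# The authentication sections are locked at the server level by default, so write
# them to applicationHost.config (/commit:apphost) rather than to the site's
# web.config, where the same settings would produce a 500.19 configuration error.
& $appcmd set config $site /section:windowsAuthentication   /enabled:true  /commit:apphost
& $appcmd set config $site /section:anonymousAuthentication /enabled:false /commit:apphost

# Show the resulting section, including the providers IIS will offer in its
# challenge (normally Negotiate followed by NTLM).
& $appcmd list config $site /section:windowsAuthentication

# 1) A request without credentials must be refused with 401 plus a challenge.
#    Windows PowerShell raises a WebException for 4xx answers, so the response
#    is read from the exception.
try {
    Invoke-WebRequest -Uri $uri -UseBasicParsing | Out-Null
    throw 'Anonymous access is still allowed; expected HTTP 401'
} catch [System.Net.WebException] {
    $resp = $_.Exception.Response
    "Anonymous request: HTTP $([int]$resp.StatusCode), WWW-Authenticate: $($resp.Headers['WWW-Authenticate'])"
}

# 2) The logged-on Windows account must be accepted without a password prompt.
$ok = Invoke-WebRequest -Uri $uri -UseDefaultCredentials -UseBasicParsing
"Logged-on user: HTTP $($ok.StatusCode), $($ok.Content.Length) bytes of JSON"
```

If the first request comes back 200 instead of 401, Anonymous Authentication is still enabled somewhere in the hierarchy (check the parent site or applicationHost.config); if the WWW-Authenticate header is missing, Windows Authentication did not get enabled for this site.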

Testing REST APIs with JMeter

As a REST API call is a plain HTTP request, we use the HTTP Request sampler to make the service call.

An HTTP Request sampler must live inside a Thread Group, so add a Thread Group first.

Add an HTTP Request sampler to the newly created Thread Group.

Configure the HTTP Request sampler to send a request to the REST service you are testing (pay attention to the Server Name, Port Number, Method and Path fields, as they must match the service under test; for our example that is localhost, 8804, GET and /api/movie).

Add a listener to collect the request results. For this case I chose the View Results Tree listener.

Save and run the test from the Run -> Start menu item. Because the service requires Windows Authentication and we have not yet supplied any credentials, the expected result is HTTP 401 (Unauthorized).

JMeter uses the HTTP Authorization Manager (a Config Element) to supply credentials when the service under test requires authentication. Let's add an HTTP Authorization Manager to our Thread Group.

As the service under test is protected with Windows Authentication, the Authorization Manager should be configured accordingly.

Base URL restricts which URLs the credentials are sent to (JMeter matches it as a prefix of the request URL). It is left blank in our tutorial, which means the credentials apply to every URL the plan requests. In a larger plan that calls several hosts, set it to the service's URL so that the account's NTLM response is never offered to some other server.

Username and Password are the credentials of a Windows account in the domain the test server has joined (or of a local account on that server, if it is not domain-joined).

Domain is the Windows domain our server belongs to. JMeter uses it for the NTLM exchange; for a local account on a stand-alone server, use the machine name.

Realm - fill in only if you use realm-based authentication. It is not needed for Windows Authentication, so leave it blank.

Mechanism selects the type of authentication. In JMeter 3.2 the possible values are BASIC_DIGEST and KERBEROS. We use BASIC_DIGEST, as we are not using Kerberos: with it, JMeter answers whatever challenge the server sends, and because Domain is filled in, the sampler's HttpClient4 implementation (JMeter's default, so leave the sampler's Implementation field blank or set it to HttpClient4) performs the NTLM handshake.

Add a Response Assertion to check the HTTP response code after each request. The goal is to verify that the request succeeded, so the expected result is HTTP code 200.

Check that the radio buttons are set as in the screenshot below: Response Code as the field to test and Equals as the pattern matching rule. Then add a pattern with the Add button and type in 200, the expected response code.

Run the Thread Group to make sure that data from the service under test reached JMeter. Make sure that the samples are green and that the assertion condition has been met.

After the test run, the test results should look like the provided screenshot.

JMeter Negative Test Creation

Let's add a negative test scenario to demonstrate that requests without valid credentials are rejected by IIS with 401 before they reach the application code, which confirms that authentication is actually enforced.

Repeat the steps from before, but in the step "Configure the HTTP Authorization Manager" enter incorrect credentials (a wrong password, for example). Use a dedicated test account or a deliberately nonexistent user name: if the Thread Group runs this sample many times, each failed attempt counts towards the domain's account lockout threshold, and a real user's account could end up locked.

Add a Response Assertion as described in the previous section.

Let's configure the assertion to verify the response code of the negative test. As the credentials in the test configuration are invalid, the expected response code is 401 (Unauthorized). To verify that, select the Response Code radio button as the field to test and Equals as the pattern matching rule.

There is one catch in this scenario. JMeter marks any sample with a non-2xx response code as failed, so the 401 would turn the sample red even though it is exactly what we expect.

To avoid that, check the Ignore Status checkbox so that the assertion result replaces the sampler's own status and the 401 is not reported as an error. Then add a pattern with the Add button and enter 401 (just the number), to verify that the response code equals 401.

Run the Thread Group and make sure that the response code of the new test is 401 (Unauthorized). Make sure that the sample is green and that the assertion condition has been met.
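The positive and negative checks of the two scenarios above, as an added stand-alone PowerShell smoke test (not from the original tutorial and not JMeter's own code): it performs the same two requests and returns the HTTP status in both cases, the way the Ignore Status option lets JMeter assert on a 401 instead of counting the sample as failed. The URL and port are the tutorial's; the account name CONTOSO\jmeter-test and its wrong password are placeholders for a dedicated test account in the server's domain.

```powershell
# Added example, not part of the original tutorial: the positive and negative
# JMeter scenarios as a PowerShell smoke test. Assumptions: URL and port from the
# tutorial; CONTOSO\jmeter-test is a placeholder for a dedicated test account.
function Get-ApiStatus {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [System.Management.Automation.PSCredential] $Credential
    )
    $params = @{ Uri = $Uri; UseBasicParsing = $true }
    if ($Credential) { $params.Credential = $Credential }      # explicit account
    else             { $params.UseDefaultCredentials = $true } # logged-on account
    try {
        return [int](Invoke-WebRequest @params).StatusCode
    } catch [System.Net.WebException] {
        # Same idea as JMeter's "Ignore Status": a 4xx answer is a result to
        # assert on, not a transport failure. Only rethrow when no response
        # arrived at all (connection refused, DNS failure, ...).
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

$uri = 'http://localhost:8804/api/movie'

# Positive test: the logged-on domain user must be accepted with 200.
$positive = Get-ApiStatus -Uri $uri

# Negative test: a wrong password must be rejected by IIS with 401 before the
# API code runs. Run this with a dedicated account (or a nonexistent user name):
# every failed attempt counts towards the domain's account lockout threshold.
$wrongPassword = ConvertTo-SecureString 'not-the-real-password' -AsPlainText -Force
$badCred = New-Object System.Management.Automation.PSCredential('CONTOSO\jmeter-test', $wrongPassword)
$negative = Get-ApiStatus -Uri $uri -Credential $badCred

"Positive (valid credentials): HTTP $positive, expected 200"
"Negative (bad password):      HTTP $negative, expected 401"
if ($positive -ne 200 -or $negative -ne 401) { exit 1 }
```

The script exits with a non-zero code when either expectation fails, so it can gate a CI job the same way the JMeter assertions gate the test plan.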

Now the results should look like the screenshot below.

That's it! You now know how to perform REST API testing for a service protected with Windows Authentication. Learn more about advanced JMeter usage from our free JMeter Academy.
